1f21358bbe047db68a70e706e4b22658453082a6f110b02b8ac6acf5dd11f419

General

Target

7745cf213dbcf4ff5ed623ede5ef1b71.exe
Size

5.1MB
MD5

7745cf213dbcf4ff5ed623ede5ef1b71
SHA1

8680c856c3efb9574c3e7d6f43134e3b4e32f82d
SHA256

1f21358bbe047db68a70e706e4b22658453082a6f110b02b8ac6acf5dd11f419
SHA512

386560eebd87193c06e2cf88d823a2b9df4697d2d58349a5e5fe06bac259319752852c6f7072e461fbec6a278af6f0963f1a88c75fbbf5baaa3632a2e2709038
SSDEEP

49152:dYmo8iZ5J+9+hGuLCzrhAmaVekwJ8/b/lEYZ3PlTay35bkrfg8FYri+ts5EjdZwS:dZiXMsCzroD530g2yOEjjs9/g3

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2124	7745cf213dbcf4ff5ed623ede5ef1b71.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	7745cf213dbcf4ff5ed623ede5ef1b71.exe

Loads dropped DLL 1 IoCs

pid	Process
1900	7745cf213dbcf4ff5ed623ede5ef1b71.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1900-1-0x0000000000400000-0x0000000000D9E000-memory.dmp	upx
behavioral1/files/0x000c000000012321-14.dat	upx
behavioral1/files/0x000c000000012321-13.dat	upx
behavioral1/files/0x000c000000012321-11.dat	upx

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7745cf213dbcf4ff5ed623ede5ef1b71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7745cf213dbcf4ff5ed623ede5ef1b71.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7745cf213dbcf4ff5ed623ede5ef1b71.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7745cf213dbcf4ff5ed623ede5ef1b71.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1900	7745cf213dbcf4ff5ed623ede5ef1b71.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1900	7745cf213dbcf4ff5ed623ede5ef1b71.exe
2124	7745cf213dbcf4ff5ed623ede5ef1b71.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2124	1900	7745cf213dbcf4ff5ed623ede5ef1b71.exe	28
PID 1900 wrote to memory of 2124	1900	7745cf213dbcf4ff5ed623ede5ef1b71.exe	28
PID 1900 wrote to memory of 2124	1900	7745cf213dbcf4ff5ed623ede5ef1b71.exe	28
PID 1900 wrote to memory of 2124	1900	7745cf213dbcf4ff5ed623ede5ef1b71.exe	28

C:\Users\Admin\AppData\Local\Temp\7745cf213dbcf4ff5ed623ede5ef1b71.exe
"C:\Users\Admin\AppData\Local\Temp\7745cf213dbcf4ff5ed623ede5ef1b71.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\7745cf213dbcf4ff5ed623ede5ef1b71.exe
  C:\Users\Admin\AppData\Local\Temp\7745cf213dbcf4ff5ed623ede5ef1b71.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7745cf213dbcf4ff5ed623ede5ef1b71.exe

Filesize
3.0MB

MD5
199599f42aedd2b4efc61bba7afea9ae

SHA1
1fea2714083c9ba525be38f0e0a88643a4bcc90d

SHA256
87106d2360c8806b85c5af280968f9d52d0d9eec0cb61a2f00ad9235a5e0554a

SHA512
0306633eb3b8e515914e26372c5fa8a3a43bbb9d07a58c4b5f4244e0fe54b939a73b3a81188e4d24ca61f23363ba542f230596b51aea193b1806dfa3b32f3c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\7745cf213dbcf4ff5ed623ede5ef1b71.exe

Filesize
2.2MB

MD5
7008b47d0b10574287aae7fcfe69aa57

SHA1
85c599adab3e59973c15c41baee5d1cd6b9057b5

SHA256
881c7d4e0fcd6d8b1b1af30894f3f6329b8ca49b0f35e4d8b6df8f8d50f6c7d7

SHA512
330f3947e1c36398288dcf5aea7032bfd054c742f901ae1596494dd49c9567d33a31e4e6a0e77b86b53bfb363022880b55622b47dfae2b5a5748a7ce6a7b722a

Download Submit
\Users\Admin\AppData\Local\Temp\7745cf213dbcf4ff5ed623ede5ef1b71.exe

Filesize
3.0MB

MD5
a10be7eaac881db543c7ddf9993eef7f

SHA1
d413ff0cb7b17033123fb26dc25731edb1aff978

SHA256
5a6da009e188ae3426eab23683b78dc691b6aeaaa7f7f9075bd09417c9360854

SHA512
fa360ad62ba431237c0398f32112e44ad82cbfb553403d076c3a9dec59c59d97e21b028fd19a592c154d2cd1c5ca90e8cb217102be8fdb8ca767b5e51aad9360

Download Submit
memory/1900-1-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/1900-3-0x0000000002240000-0x000000000249A000-memory.dmp

Filesize
2.4MB

Download
memory/1900-0-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1900-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1900-16-0x0000000004300000-0x0000000004C9E000-memory.dmp

Filesize
9.6MB

Download
memory/1900-43-0x0000000004300000-0x0000000004C9E000-memory.dmp

Filesize
9.6MB

Download
memory/2124-19-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/2124-21-0x0000000001FA0000-0x00000000021FA000-memory.dmp

Filesize
2.4MB

Download
memory/2124-44-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing